The first section of the Order continues to primarily address cybersecurity risk management and IT modernization within the executive branch consistent with the Revised Draft and Executive Order 13636 signed by President Obama. The Order incorporates nearly all of the Revised Draft’s language in this section, with minor exceptions.

For instance, the Order specifies additional content for risk management reports, such as requiring each agency to include an action plan for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity. The Order also departs from the Revised Draft by instructing the Director of the American Technology Council, a position recently established by an EO issued on May 1, 2017, instead of the Assistant to the President for Intragovernmental and Technology Initiatives to “coordinate a report to the President . . . regarding [the] modernization of Federal IT.” Further, the modernization report must be completed within 90 days of the signing of the Order, not 150 days as initially stipulated in the Revised Draft.

Section 2: Cybersecurity of Critical Infrastructure

Minor changes were also made to the second section of the Order, which details the executive branch’s support for critical infrastructure. Section two of the Order now includes a paragraph titled “Resilience Against Botnets and Other Automated, Distributed Threats” that focuses specifically on the threats posed by botnets. Pursuant to the final Order, the Department of Homeland Security (“DHS”) and Department of Commerce (“DOC”) are directed to “identify and promote action by appropriate stakeholders . . . in the internet and communications ecosystem . . . with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g. botnets).”

Moreover, the final Order arguably requires DHS and DOC to work with a much broader group of stakeholders in fulfilling this mandate. The earlier draft order only required DHS and DOC to include stakeholders from “core communications infrastructure.” However, the final Order requires DHS and DOC to work with stakeholders, including owners and operators, throughout the “internet and communications ecosystem.” DHS and DOC are required to make public a preliminary report about these efforts within 240 days and submit a final report to the President within one year.

Section 3: Cybersecurity for the Nation

The third section of the Order includes new requirements relating to international cooperation not found in the previous drafts. The final Order also reincorporates a section from the first draft of the order focused on efforts to educate and develop a sustainable cybersecurity workforce.

With respect to international cooperation, the Order now recognizes that the U.S. is “especially dependent on a globally secure and resilient internet and must work with allies and other partners.” To that end, the Order directs the Secretaries of State, Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and Director of the Federal Bureau of Investigation, to submit a report to the President outlining their international cybersecurity priorities, “including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation” within 45 days.

To encourage the sustained growth of the domestic cybersecurity workforce, the Order also instructs the Secretaries of Commerce and Homeland Security, in consultation with other agencies, to provide a report to the President within 120 days that assesses ongoing efforts to train and educate the “cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs.” The report must also include findings and recommendations that “support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.”

The Director of National Intelligence (DNI) and Secretary of Defense are also required to coordinate and submit their own reports relating to workforce development. The DNI’s report will focus on “foreign workforce development practices likely to affect long-term . . . cybersecurity competitiveness” in the U.S. and must be submitted within 60 days. The Secretary of Defense’s report will examine U.S. efforts to maintain or increase “its advantage in national security-related cyber capabilities.”

About the Covington Data Privacy and Cybersecurity group

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.